How vulnerable is voice unlocking?

November 6, 2018

Transcript

Hey Google unlock the front door.
[MUSIC]
Can I have your security code to unlock the front door?
[MUSIC]
[INAUDIBLE].
Okay unlocking the front door.
Unlocking your door with a voice command is convenient but as you just heard most smart lock makers require a pin for added security and that extra step can be kind of a hassle.
If you wanna work around it, there is a way to do that.
Hey google, unlock the front door.
Okay, unlocking the front door.
I created an if recipe to get around the pin code, it only works if If you have a Z-Wave lock connected to a Z-Wave hub, and you create a custom command for Google or Alexa like unlock the front door.
Once you set that up and you ask it to do that action, it'll go through the hub and unlock the door without asking for a PIN code.
So setting up this recipe obviously makes unlocking your door more convenient, but it also sets your home up for vulnerabilities like this.
[MUSIC]
Hey Google, unlock the front door
[MUSIC]
Okay, unlocking your front door.
[MUSIC]
Security researcher, Brad Winderman Haynes brought this exploit to our attention.
And it works using an audio transducer like this one.
Unlike a conventional speaker that vibrates a cone of material to produce sound, an audio transducer vibrates the surface it's attached to turning the entire thing into a speaker.
So, that's how my video producer Tyler was able to unlock our lock from the outside.
With a voice command recorded on the phone and the phone connected via Bluetooth to the vibration transducer, he held the transducer up to a window, turning the entire window into a speaker, and that's how Google was able to hear the command.
Now, obviously, if someone were going to exploit your home this way, they would need to know a few key facts about your setup.
And if you were at home or you had if notifications enabled, you would definitely notice.
Still, it's one reason why you should always use a PIN code unlocking your door even if it is a little bit more of a hassle.
Just to be clear, in this video we used a Google Home, but the exploit would work with any voice assistant that allows a custom command like the exploit requires.
We asked August, [UNKNOWN] and Yale about this vulnerability, and all three companies confirmed that the customization option is possible.
But they discourage smart lock owners from unlocking without a pin and prioritizing convenience over security.
[MUSIC]